[PATCH] D66325: [analyzer] CastValueChecker: Store the dynamic types and casts

Nico Weber via cfe-commits cfe-commits at lists.llvm.org
Wed Aug 21 20:09:24 PDT 2019


No worries. If it takes a while to analyze, please revert while you
investigate, to keep trunk green.

On Wed, Aug 21, 2019 at 10:29 PM Csaba Dabis via Phabricator via
cfe-commits <cfe-commits at lists.llvm.org> wrote:

> Charusso added a comment.
>
>      return C.getNoteTag(
>   -      [=] {
>   +      [=]() -> std::string {
>            SmallString<128> Msg;
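Review bot: the trailing `-> std::string` is the right fix because, without it, the lambda's return type is deduced from the return expression as a `StringRef` into the local `SmallString<128> Msg`, and the `std::function<std::string()>` that `getNoteTag` wraps it in performs the `StringRef` to `std::string` conversion only after the lambda has returned and `Msg` has been destroyed; that is exactly what the trace below shows (frames #4 and #5 are `StringRef::str()` and `StringRef::operator basic_string` running inside the `std::function` invoker, and the 19-byte read lands inside `Msg.i.i.i.i`). Consider also copying at the return statement, e.g. `return std::string(Msg.str());`, so the lifetime fix does not rest on the lambda signature alone and survives a later refactor that drops the trailing return type.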
>
> That was the fix by rL369609 <https://reviews.llvm.org/rL369609>. Somehow
> it was converted to a temporary object, therefore that was an issue:
>
>   [175/176] Running the Clang regression tests
>   llvm-lit:
> /b/sanitizer-x86_64-linux-fast/build/llvm/utils/lit/lit/llvm/config.py:340:
> note: using clang:
> /b/sanitizer-x86_64-linux-fast/build/llvm_build_asan/bin/clang
>   -- Testing: 15399 tests, 64 threads --
>   Testing: 0
>   FAIL: Clang :: Analysis/cast-value-notes.cpp (355 of 15399)
>   ******************** TEST 'Clang :: Analysis/cast-value-notes.cpp'
> FAILED ********************
>   Script:
>   --
>   : 'RUN: at line 1';
>  /b/sanitizer-x86_64-linux-fast/build/llvm_build_asan/bin/clang -cc1
> -internal-isystem
> /b/sanitizer-x86_64-linux-fast/build/llvm_build_asan/lib/clang/10.0.0/include
> -nostdsysteminc -analyze -analyzer-constraints=range
>  -analyzer-checker=core,apiModeling.llvm.CastValue   -analyzer-output=text
> -verify
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/test/Analysis/cast-value-notes.cpp
>   --
>   Exit Code: 1
>
>   Command Output (stderr):
>   --
>   =================================================================
>   ==43337==ERROR: AddressSanitizer: stack-use-after-scope on address
> 0x7fa639ecfa30 at pc 0x000000c7ac85 bp 0x7fff83887490 sp 0x7fff83886c40
>   READ of size 19 at 0x7fa639ecfa30 thread T0
>       #0 0xc7ac84 in __asan_memcpy
> /b/sanitizer-x86_64-linux-fast/build/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:22
>       #1 0xa328415 in copy
> /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/__string:225:50
>       #2 0xa328415 in __init
> /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/string:1792
>       #3 0xa328415 in basic_string
> /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/string:1813
>       #4 0xa328415 in str
> /b/sanitizer-x86_64-linux-fast/build/llvm/include/llvm/ADT/StringRef.h:220
>       #5 0xa328415 in operator basic_string
> /b/sanitizer-x86_64-linux-fast/build/llvm/include/llvm/ADT/StringRef.h:247
>       #6 0xa328415 in __call<(lambda at
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Checkers/CastValueChecker.cpp:113:7)
> &>
> /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/__functional_base:317
>       #7 0xa328415 in operator()
> /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/functional:1540
>       #8 0xa328415 in
> std::__1::__function::__func<getNoteTag(clang::ento::CheckerContext&,
> clang::ento::DynamicCastInfo const*, clang::QualType, clang::Expr const*,
> bool, bool)::$_0,
> std::__1::allocator<getNoteTag(clang::ento::CheckerContext&,
> clang::ento::DynamicCastInfo const*, clang::QualType, clang::Expr const*,
> bool, bool)::$_0>, std::__1::basic_string<char,
> std::__1::char_traits<char>, std::__1::allocator<char> > ()>::operator()()
> /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/functional:1714
>       #9 0xa32751d in operator()
> /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/functional:1867:16
>       #10 0xa32751d in operator()
> /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/functional:2473
>       #11 0xa32751d in operator()
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h:259
>       #12 0xa32751d in __invoke<(lambda at
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h:259:23)
> &, clang::ento::BugReporterContext &, clang::ento::BugReport &>
> /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/type_traits:3501
>       #13 0xa32751d in __call<(lambda at
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h:259:23)
> &, clang::ento::BugReporterContext &, clang::ento::BugReport &>
> /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/__functional_base:317
>       #14 0xa32751d in operator()
> /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/functional:1540
>       #15 0xa32751d in
> std::__1::__function::__func<clang::ento::CheckerContext::getNoteTag(std::__1::function<std::__1::basic_string<char,
> std::__1::char_traits<char>, std::__1::allocator<char> > ()>&&,
> bool)::'lambda'(clang::ento::BugReporterContext&, clang::ento::BugReport&),
> std::__1::allocator<clang::ento::CheckerContext::getNoteTag(std::__1::function<std::__1::basic_string<char,
> std::__1::char_traits<char>, std::__1::allocator<char> > ()>&&,
> bool)::'lambda'(clang::ento::BugReporterContext&,
> clang::ento::BugReport&)>, std::__1::basic_string<char,
> std::__1::char_traits<char>, std::__1::allocator<char> >
> (clang::ento::BugReporterContext&,
> clang::ento::BugReport&)>::operator()(clang::ento::BugReporterContext&,
> clang::ento::BugReport&)
> /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/functional:1714
>       #16 0xa990926 in operator()
> /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/functional:1867:16
>       #17 0xa990926 in operator()
> /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/functional:2473
>       #18 0xa990926 in generateMessage
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/include/clang/StaticAnalyzer/Core/BugReporter/BugReporter.h:572
>       #19 0xa990926 in
> clang::ento::TagVisitor::VisitNode(clang::ento::ExplodedNode const*,
> clang::ento::BugReporterContext&, clang::ento::BugReport&)
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp:2879
>       #20 0xa94b59f in
> generateVisitorsDiagnostics(clang::ento::BugReport*,
> clang::ento::ExplodedNode const*, clang::ento::BugReporterContext&)
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/BugReporter.cpp:2634:19
>       #21 0xa9417b3 in findValidReport
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/BugReporter.cpp:2674:9
>       #22 0xa9417b3 in
> clang::ento::PathSensitiveBugReporter::generatePathDiagnostics(llvm::ArrayRef<clang::ento::PathDiagnosticConsumer*>,
> llvm::ArrayRef<clang::ento::BugReport*>&)
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/BugReporter.cpp:2708
>       #23 0xa948006 in
> clang::ento::BugReporter::generateDiagnosticForConsumerMap(clang::ento::BugReport*,
> llvm::ArrayRef<clang::ento::PathDiagnosticConsumer*>,
> llvm::ArrayRef<clang::ento::BugReport*>)
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/BugReporter.cpp:3032:5
>       #24 0xa93c090 in
> clang::ento::BugReporter::FlushReport(clang::ento::BugReportEquivClass&)
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/BugReporter.cpp:2893:7
>       #25 0xa93a72e in clang::ento::BugReporter::FlushReports()
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/BugReporter.cpp:2308:5
>       #26 0xa23ec21 in RunPathSensitiveChecks
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:816:24
>       #27 0xa23ec21 in (anonymous
> namespace)::AnalysisConsumer::HandleCode(clang::Decl*, unsigned int,
> clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*,
> llvm::DenseMapInfo<clang::Decl const*> >*)
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:774
>       #28 0xa1f6203 in HandleDeclsCallGraph
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:556:5
>       #29 0xa1f6203 in runAnalysisOnTranslationUnit
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:607
>       #30 0xa1f6203 in (anonymous
> namespace)::AnalysisConsumer::HandleTranslationUnit(clang::ASTContext&)
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:637
>       #31 0xad37ae0 in clang::ParseAST(clang::Sema&, bool, bool)
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/Parse/ParseAST.cpp:171:13
>       #32 0x7ad09b9 in clang::FrontendAction::Execute()
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/Frontend/FrontendAction.cpp:935:8
>       #33 0x79ae417 in
> clang::CompilerInstance::ExecuteAction(clang::FrontendAction&)
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/Frontend/CompilerInstance.cpp:946:33
>       #34 0x7d27c53 in
> clang::ExecuteCompilerInvocation(clang::CompilerInstance*)
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:291:25
>       #35 0xcc5084 in cc1_main(llvm::ArrayRef<char const*>, char const*,
> void*)
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/tools/driver/cc1_main.cpp:250:15
>       #36 0xcbcadc in ExecuteCC1Tool
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/tools/driver/driver.cpp:309:12
>       #37 0xcbcadc in main
> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/tools/driver/driver.cpp:381
>       #38 0x7fa63d18f2e0 in __libc_start_main
> (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
>       #39 0xbed7c9 in _start
> (/b/sanitizer-x86_64-linux-fast/build/llvm_build_asan/bin/clang-10+0xbed7c9)
>
>   Address 0x7fa639ecfa30 is located in stack of thread T0 at offset 48 in
> frame
>       #0 0xa32780f in
> std::__1::__function::__func<getNoteTag(clang::ento::CheckerContext&,
> clang::ento::DynamicCastInfo const*, clang::QualType, clang::Expr const*,
> bool, bool)::$_0,
> std::__1::allocator<getNoteTag(clang::ento::CheckerContext&,
> clang::ento::DynamicCastInfo const*, clang::QualType, clang::Expr const*,
> bool, bool)::$_0>, std::__1::basic_string<char,
> std::__1::char_traits<char>, std::__1::allocator<char> > ()>::operator()()
> /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/functional:1713
>
>     This frame has 4 object(s):
>       [32, 176) 'Msg.i.i.i.i' <== Memory access at offset 48 is inside
> this variable
>       [240, 288) 'Out.i.i.i.i'
>       [320, 344) 'ref.tmp.i.i.i.i'
>       [384, 408) 'ref.tmp14.i.i.i.i'
>   HINT: this may be a false positive if your program uses some custom
> stack unwind mechanism, swapcontext or vfork
>         (longjmp and C++ exceptions *are* supported)
>   SUMMARY: AddressSanitizer: stack-use-after-scope
> /b/sanitizer-x86_64-linux-fast/build/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:22
> in __asan_memcpy
>   Shadow bytes around the buggy address:
>     0x0ff5473d1ef0: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
>     0x0ff5473d1f00: f1 f1 f1 f1 00 00 00 f2 f2 f2 f2 f2 00 00 00 00
>     0x0ff5473d1f10: f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2 f8 f8 f8 f8
>     0x0ff5473d1f20: f8 f8 f8 f8 f3 f3 f3 f3 00 00 00 00 00 00 00 00
>     0x0ff5473d1f30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   =>0x0ff5473d1f40: f1 f1 f1 f1 f8 f8[f8]f8 f8 f8 f8 f8 f8 f8 f8 f8
>     0x0ff5473d1f50: f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f2 f2 f2 f2 f8 f8
>     0x0ff5473d1f60: f8 f8 f8 f8 f2 f2 f2 f2 f8 f8 f8 f2 f2 f2 f2 f2
>     0x0ff5473d1f70: f8 f8 f8 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
>     0x0ff5473d1f80: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
>     0x0ff5473d1f90: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
>   Shadow byte legend (one shadow byte represents 8 application bytes):
>     Addressable:           00
>     Partially addressable: 01 02 03 04 05 06 07
>     Heap left redzone:       fa
>     Freed heap region:       fd
>     Stack left redzone:      f1
>     Stack mid redzone:       f2
>     Stack right redzone:     f3
>     Stack after return:      f5
>     Stack use after scope:   f8
>     Global redzone:          f9
>     Global init order:       f6
>     Poisoned by user:        f7
>     Container overflow:      fc
>     Array cookie:            ac
>     Intra object redzone:    bb
>     ASan internal:           fe
>     Left alloca redzone:     ca
>     Right alloca redzone:    cb
>     Shadow gap:              cc
>   ==43337==ABORTING
>
>   --
>
> Thanks for your notes! Also @xazax.hun, you may be interested in this
> lifetime issue.
>
>
> Repository:
>   rL LLVM
>
> CHANGES SINCE LAST ACTION
>   https://reviews.llvm.org/D66325/new/
>
> https://reviews.llvm.org/D66325
>
>
>
> _______________________________________________
> cfe-commits mailing list
> cfe-commits at lists.llvm.org
> https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-commits/attachments/20190821/01b32402/attachment-0001.html>
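The lifetime bug behind the ASan report above, reduced to a stand-alone C++ program. This is an added example for this thread, not code from LLVM or from the patch. `SmallString` and `StringRef` here are toy stand-ins for `llvm::SmallString<N>` and `llvm::StringRef`, keeping only the two properties that matter: `str()` hands out a non-owning view into the buffer, and the view converts implicitly to `std::string` (as `llvm::StringRef::operator std::string` does). The liveness set and the `Owner` field are instrumentation assumed for the example so that the dangling conversion is reported deterministically instead of being the undefined read ASan caught on the bot; `makeNoteDeduced`, `makeNoteExplicit`, `runNote` and the `NoteTagFn` alias are hypothetical names. The "before" lambda is the `[=] {` form and the "after" lambda is the `[=]() -> std::string {` form from the quoted diff.

```cpp
#include <cstddef>
#include <cstdint>
#include <functional>
#include <iostream>
#include <set>
#include <stdexcept>
#include <string>
#include <type_traits>

// Added example, not LLVM code. SmallString and StringRef are toy stand-ins
// for llvm::SmallString<N> and llvm::StringRef; g_liveBuffers and the Owner
// field are instrumentation so a dangling conversion is detected instead of
// read (which is what AddressSanitizer reported as stack-use-after-scope).

struct StringRef;

static std::set<std::uintptr_t> g_liveBuffers; // addresses of live SmallString objects

struct SmallString {
  char Buf[128];
  std::size_t Len = 0;

  SmallString() { g_liveBuffers.insert(reinterpret_cast<std::uintptr_t>(this)); }
  ~SmallString() { g_liveBuffers.erase(reinterpret_cast<std::uintptr_t>(this)); }
  SmallString(const SmallString &) = delete;
  SmallString &operator=(const SmallString &) = delete;

  void append(const char *S) {
    while (*S && Len < sizeof(Buf))
      Buf[Len++] = *S++;
  }
  StringRef str() const; // non-owning view, valid only while *this lives
};

struct StringRef {
  const char *Data;
  std::size_t Length;
  std::uintptr_t Owner; // instrumentation: which SmallString Data points into

  // Implicit conversion, like llvm::StringRef -> std::string. Refuses to read
  // through the view once its buffer has been destroyed.
  operator std::string() const {
    if (!g_liveBuffers.count(Owner))
      throw std::logic_error("StringRef converted to std::string after its buffer died");
    return std::string(Data, Length);
  }
};

inline StringRef SmallString::str() const {
  return {Buf, Len, reinterpret_cast<std::uintptr_t>(this)};
}

// CheckerContext::getNoteTag takes a std::function<std::string()>. The
// std::function invoker converts whatever the callable returns to std::string
// only after the callable has returned, i.e. after its locals are gone.
using NoteTagFn = std::function<std::string()>;

// Before the fix: no trailing return type, so the lambda's return type is
// deduced from `Msg.str()` as StringRef, a view into the already-dead Msg.
NoteTagFn makeNoteDeduced() {
  return [=] {
    SmallString Msg;
    Msg.append("cast succeeded");
    return Msg.str();
  };
}

// After the fix: `-> std::string` forces the StringRef -> std::string
// conversion inside the lambda body, while Msg is still alive.
NoteTagFn makeNoteExplicit() {
  return [=]() -> std::string {
    SmallString Msg;
    Msg.append("cast succeeded");
    return Msg.str();
  };
}

// The root cause is visible at compile time: what does each lambda return?
bool deducedReturnIsView() {
  auto L = [] { SmallString Msg; return Msg.str(); };
  return std::is_same<decltype(L()), StringRef>::value;
}
bool explicitReturnIsString() {
  auto L = []() -> std::string { SmallString Msg; return Msg.str(); };
  return std::is_same<decltype(L()), std::string>::value;
}

// Runs a note generator; "<dangling>" stands in for the ASan abort.
std::string runNote(const NoteTagFn &Fn) {
  try {
    return Fn();
  } catch (const std::logic_error &) {
    return "<dangling>";
  }
}

int main() {
  std::cout << "deduced:  " << runNote(makeNoteDeduced()) << '\n';
  std::cout << "explicit: " << runNote(makeNoteExplicit()) << '\n';
  return 0;
}
```

The order of events is what makes the deduced form fail every time, not just under ASan: the lambda body runs, `Msg` is destroyed as the body returns its `StringRef` by value, and only then does the `std::function` invoker apply the conversion to `std::string`, reading through a view whose storage is gone. With the trailing return type the same conversion is performed by the `return` statement itself, before `Msg` goes out of scope. An equivalent alternative is to copy at the return site (`return std::string(Msg.str());`), which does not depend on the lambda's declared signature.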

